Solved: Why do correlation searches in Enterprise Security...

koshyk · ‎02-02-2016

hi,

I was looking into the out-of-box Splunk correlation searches in Splunk Enterprise Security (ES) and it contains allow_old_summaries=true and not summariesOnly=true. Both give me the same set of results.

Time required to run the original Splunk Searches takes me >220 seconds, but with summariesOnly=true, it gives me exactly same output in 8 seconds. So was thinking why Splunk didn't do it in first place? Will data be missed if I use summariesOnly=true?

stanwin · ‎02-03-2016

When you add the summariesonly=t flag, this tells the data model only to look at existing accelerated data (tsidx.) If you dont have acceleration configured, or it hasnt run fully, then you wont get results.

From https://answers.splunk.com/answers/301913/where-and-when-do-we-use-summariesonlyt-with-datam.html

also

http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Tstats

View solution in original post

stanwin · ‎02-03-2016

When you add the summariesonly=t flag, this tells the data model only to look at existing accelerated data (tsidx.) If you dont have acceleration configured, or it hasnt run fully, then you wont get results.

From https://answers.splunk.com/answers/301913/where-and-when-do-we-use-summariesonlyt-with-datam.html

also

http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Tstats

koshyk · ‎02-04-2016

Thank you. So that means if we have accelerated data models(eg Splunk_TA_CIM), it is good enough to use "summariesonly=t"

Why do correlation searches in Enterprise Security not use "summariesOnly=true"?

New Splunk Observability innovations: Deeper visibility and smarter alerting to ...

Synthetic Monitoring: Not your Grandma’s Polyester! Tech Talk: DevOps Edition

Instrumenting Java Websocket Messaging